Vulnerability	Vulnerable Version
M Access of Resource Using Incompatible Type ('Type Confusion') Affected versions of this package are vulnerable to Access of Resource Using Incompatible Type ('Type Confusion') through an upstream type-confusion bug in `seroval` package. An attacker can trigger unintended execution of a different client-referenced server function by sending a specially crafted JSON payload. This may result in unexpected side effects or bypass of request-level middleware, potentially impacting observability or audit logging. Note: The impact is limited to server functions that are already directly reachable `_serverFn()` function or the target function's full middleware chain — including any user-supplied authentication, authorization, and inputValidator. How to fix Access of Resource Using Incompatible Type ('Type Confusion')? Upgrade `@tanstack/start-server-core` to version 1.167.30 or higher.	<1.167.30

Access of Resource Using Incompatible Type ('Type Confusion')

Affected versions of this package are vulnerable to Access of Resource Using Incompatible Type ('Type Confusion') through an upstream type-confusion bug in seroval package. An attacker can trigger unintended execution of a different client-referenced server function by sending a specially crafted JSON payload. This may result in unexpected side effects or bypass of request-level middleware, potentially impacting observability or audit logging.

Note:

The impact is limited to server functions that are already directly reachable _serverFn() function or the target function's full middleware chain — including any user-supplied authentication, authorization, and inputValidator.

How to fix Access of Resource Using Incompatible Type ('Type Confusion')?

Upgrade @tanstack/start-server-core to version 1.167.30 or higher.

<1.167.30

Go back to all versions of this package